nfs/ssh woes
Hey folks,
about 2 months ago I sent out a call for help on this list which, like
most such calls I've made, was duly answered by a couple of folks,
especially James S. Then my baby son was born, and we went away for a
while, and when I came back home I rebooted all my machines, ended up
losing a bunch of personal mail, and my carefully set-up system no
longer worked...
Goal: to set up an ssh-encrypted nfs which shares a directory on my
work computer (call it nfs.server) and either or both of two computers
at home (nfs.client).
Method: as described in James Strandboge's excellent article,
"Encrypted NFS with OpenSSH and Linux"
http://linuxtoday.com/security/2002021301020SCSV .
1. set up /etc/exports:
add this line:
/home/matt/Personal 128.100.34.9(rw,insecure,root_squash)
test it on the server:
mount -t nfs 128.100.34.9:/home/matt /mnt/nfs
--> works fine.
2. set up iptables. Add a file nfsforward.rul in /etc/ipmasq/rules:
# cat nfsforward.rul
# /sbin/iptables -A INPUT -i eth0 -p tcp -s mprice.dyndns.org --dport ssh -j ACCEPT
# /sbin/iptables -A OUTPUT -o eth0 -p tcp --sport ssh -d mprice.dyndns.org -j ACCEPT
# /sbin/iptables -A INPUT -i eth0 -p tcp -s mprice.dyndns.org --dport 111 -j ACCEPT
# /sbin/iptables -A OUTPUT -o eth0 -p tcp --sport 111 -d mprice.dyndns.org -j ACCEPT
# /sbin/iptables -A INPUT -i eth0 -p tcp -s $MATTSIP --dport ssh -j ACCEPT
/sbin/iptables -A INPUT -i eth0 -p tcp -s $MATTSIP --dport ssh -j ACCEPT
/sbin/iptables -A OUTPUT -o eth0 -p tcp -d $MATTSIP --sport ssh -j ACCEPT
/sbin/iptables -A INPUT -i eth0 -p tcp -s $MATTSIP --dport 111 -j ACCEPT
/sbin/iptables -A OUTPUT -o eth0 -p tcp --sport 111 -d $MATTSIP -j ACCEPT
... where $MATTSIP is passed to ipmasq whenever it's run (I have dns
-- and if I replace $MATTSIP with an ip address, the situation doesn't
change)
3. set up an ssh tunnel:
first check server's ports:
rpcinfo -p 128.100.34.9:
   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100024    1   udp    914  status
    100024    1   tcp    917  status
    100005    1   udp    810  mountd
    100005    2   udp    810  mountd
    100005    1   tcp    813  mountd
    100005    2   tcp    813  mountd
    100003    2   udp   2049  nfs
    100003    2   tcp   2049  nfs
ssh -f -c blowfish -L2818:128.100.34.9:2049 -L 3045:128.100.34.9:813 -l matt 128.100.34.9 /bin/sleep 86400
tried it with the -v switch enabled, didn't get any error messages, I
assume the tunnel is really being set up.
4. try to mount the directory on nfs.client:
# mount -t nfs -o tcp,port=2818,mountport=3045 128.100.34.9:/home/matt/Personal /mnt/nfs
mount: RPC: Remote system error - Connection refused
If I try to ssh and mount from nfs.server, I have the same problem,
though as I mentioned earlier a straight up nfs mount on nfs.server
works fine:
mount -t nfs 128.100.34.9:/home/matt/Personal /mnt/nfs
if I briefly disable iptables:
nfs.server# /etc/init.d/iptables stop (I know, this is STUPID!!!!)
and try to mount the directory from nfs.client, I get a slightly
different error:
nfs.client# mount -t nfs 128.100.34.9:/home.matt/Personal /mnt/nfs
mount: 128.100.34.9:/home/matt failed, reason given by server: Permission denied
I checked in hosts.allow and found both these listings (somewhat
overbroad, but hopefully not too terrible for the moment):
ALL: 128.100.34.9 localhost
ALL: 67.68.52.40
so I don't think the problem is there.
Question: where to look now? I feel like the problem's in the tunnel
-- or at least, there is some kind of problem with the tunnel -- but I
can't diagnose it myself. Who can help??
thanks as ALWAYS,
matt
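An added example, not code from the post or from Strandboge's article: a small POSIX shell helper that derives the ssh -L forwards and the mount command from live rpcinfo output (mountd's port is assigned by the portmapper at boot, so hard-coded numbers can go stale after a reboot) and that points the mount at localhost, which is where the -L listeners actually are. The server address, user name, local ports 2818/3045 and the rpcinfo table are taken from the post; the function names and the use of ss/netstat are assumptions.

```shell
# Added example, not code from the post or Strandboge's article. Derives the
# ssh -L forwards and the mount command from live `rpcinfo -p` output: mountd
# gets its port from the portmapper at boot, so hard-coded numbers can go stale
# after a reboot. The mount is pointed at localhost, where ssh -L listens.

# Constructed sample: the rpcinfo -p table from the post.
SAMPLE_RPCINFO='   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100024    1   udp    914  status
    100024    1   tcp    917  status
    100005    1   udp    810  mountd
    100005    2   udp    810  mountd
    100005    1   tcp    813  mountd
    100005    2   tcp    813  mountd
    100003    2   udp   2049  nfs
    100003    2   tcp   2049  nfs'

# rpc_tcp_port <rpcinfo output> <service>: TCP port the portmapper currently
# advertises for the service, empty if it is not registered.
rpc_tcp_port() {
    printf '%s\n' "$1" |
        awk -v svc="$2" '$3 == "tcp" && $5 == svc { port = $4 } END { print port }'
}

# tunnel_args <rpcinfo output> <server> <local nfs port> <local mountd port>:
# the -L options forwarding the two local ports to the server's nfs and mountd.
tunnel_args() {
    nfs=$(rpc_tcp_port "$1" nfs)
    mountd=$(rpc_tcp_port "$1" mountd)
    [ -n "$nfs" ] && [ -n "$mountd" ] || return 1
    printf '%s %s:%s:%s %s %s:%s:%s\n' -L "$3" "$2" "$nfs" -L "$4" "$2" "$mountd"
}

# mount_cmd <local nfs port> <local mountd port> <export> <mountpoint>: mount
# command for the tunnelled share; the host is localhost on purpose.
mount_cmd() {
    printf 'mount -t nfs -o tcp,port=%s,mountport=%s localhost:%s %s\n' "$1" "$2" "$3" "$4"
}

# local_port_listening <port>: true if the forward is really bound here (assumes ss or netstat).
local_port_listening() {
    { ss -ltn 2>/dev/null || netstat -tln 2>/dev/null; } | awk '{ print $4 }' | grep -q ":$1\$"
}

# Client-side usage with the post's server, user and local ports:
#   server=128.100.34.9; info=$(rpcinfo -p "$server")
#   ssh -f -N $(tunnel_args "$info" "$server" 2818 3045) -l matt "$server"
#   local_port_listening 2818 && local_port_listening 3045 || exit 1
#   eval "$(mount_cmd 2818 3045 /home/matt/Personal /mnt/nfs)"
```

With the mount command as written in the post, mount connects to 128.100.34.9 on port 2818, a port the server itself never opened, which matches the "Connection refused" reported; the forwards exist only on the client's loopback. Note also that the INPUT rules above match only eth0, while the connections sshd makes to 128.100.34.9 on the server's behalf travel over lo, so an INPUT chain with a DROP policy needs a rule accepting lo.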